Quick background. We are running Subversion Server 1.6.5 (no Apache, just the SVN server) on a Windows box with no web access. We only use TortoiseSVN and AnkhSVN, and for continuous integration we use the svn client command line.

OK, so I've looked around on the NET and read the SVN book a bit and I don't understand why this user setup does not work.

From what I've read, you have to grant all users at a minimum read access to the root of your repository. OK, fine. That works. Next up my /Dev/SourceCode directory should only be accessible to @devUsers, but for some reason in TortoiseSVN's repo-browser, @qaUsers can see this folder. I'm guessing the global read access on / is overriding the ~devUsers = line in the authz file? And same goes for the /Dev/TestCases folder that should only be accessible to @qaUsers, yet @devUsers can view this folder too. That's one of my problems.

The main problem though is that /Dev/SourceCode's subfolders are only read-only. I know this because when I attempt to check in something into a subfolder it says authorization failed. However, in the root folder, if you check in a file, it works fine.

I'm guessing this is the / read-only access overriding things again. Does this mean that each subfolder has to be given explicit rw permissions? Is there any way to say "from this point on, use the current parent folder's permissions", i.e. /Dev/SourceCode's permissions? This seems really inconvenient if you want to grant rw permissions to all subfolders when there are many subfolders.

The cascading of permissions should work as you expect; there's no need for permissions on every dir. You only need to specify the more specific paths to override the permissions from the parent, as you are doing.

I'm not familiar with the ~groupname syntax. You're clearly intending it to mean negation (users not in the group) but I'm not sure it's supported. Try something like this (your first two sections for group defs and root access the same):

This should work, although denying your developers access to the test cases makes me sad.

EDIT: Since you've tried this, and it doesn't work ... maybe try reversing the order? The matching is supposed to happen on most-specific to least-specific, so the order shouldn't matter, but I would at least try putting these earlier in the file than the [/] permissions. If that makes a difference, then I would suspect a bug in your server version.

The config I posted isn't my real breakdown, so don't worry, devs can see test cases ;). Also, what you posted doesn't work. I tried this before and ended up with the same result. @devUsers could see what they're not supposed to. As well, the cascading of permissions does not appear to work. Well it does, but the cascade appears to work from the root so people get read-only access for every folder except the folders I deem rw.
– nickytonline Jul 27 '10 at 13:01

... you sure there isn't a typo (e.g. case) in your [/Dev/testCases] definition? (You're on Windows: I know that Windows will display things as 'Dev' if they are actually named 'DEV', for example ... but SVN will probably care)

... also, you sure it isn't supposed to be [/trunk/Dev/testCases] or something?
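
Added example, not part of the original thread and not Subversion's own code: a simplified Python model of the lookup the answer describes, where the closest section that mentions the user decides and the order of sections in the file plays no role. The sample file, the group members and the function names are constructed; repository-prefixed sections, aliases and the `~`/`$` tokens are left out of the model.

```python
import configparser

# Constructed authz file modelled on the layout in the question (made-up users).
AUTHZ = """
[groups]
devUsers = alice
qaUsers = bob

[/]
* = r

[/Dev/SourceCode]
@devUsers = rw
* =

[/Dev/TestCases]
@qaUsers = rw
* =
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user, group and path names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def matches(who, user, groups):
    if who == "*":
        return True
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who == user

def access(user, path, groups, rules):
    """Return 'rw', 'r' or '' from the closest section that mentions the user."""
    path = "/" + path.strip("/")
    while True:
        hits = [v for who, v in rules.get(path, {}).items() if matches(who, user, groups)]
        if hits:
            # Model assumption: within one section, a matching line that grants wins.
            return "".join(c for c in "rw" if any(c in v for v in hits))
        if path == "/":
            return ""  # nothing matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"  # walk up to the parent directory
```

With this file, a query for `/Dev/testCases` (lower-case t) finds no section of its own and falls back to `[/]`, so the folder stays readable, which is the case mismatch raised in the comments.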